Front 


Security and Compliance Handbook 


Introducing Front 


Front is the inbox for teams that gives you access to the people, messages, and apps you need to get work done. It turns your email inbox into a flexible platform where you can easily organize communication, get context for decisions, and take action faster with your team. Today, more than 5,500 customers trust Front to protect their most sensitive assets.


Front’s Commitment to Security 


Since our customers’ inboxes are their most extensive bank of confidential information, privacy and reliability have been at the core of our business since day one.


As an organization, Front strives to build a secure application in accordance with security best practices to uphold the confidentiality, integrity, and availability of our customers’ data. In the spirit of transparency, this document describes the systems and security practices we have in place to protect your sensitive data.


Enterprise Architecture 


AWS Cloud 


- Hosted on Amazon Web Services (AWS), designed to provide 99.99% availability, with services hosted regionally from the US and the EU.

- Content Server is hosted on AWS S3 and Metadata Server is built on Amazon's Relationship Database Service (RDS).

- All systems and services are equipped with integrated failover and fault tolerance with multiple availability zones for redundancy.

- Built with a distributed architecture, where all services are contained within a protected VPC environment using individual security groups and AWS SQS message queues.

[Architecture diagram: Mobile, Desktop, Web and API clients connect to a Virtual Private Cloud containing the Content Server, Meta Server, Analytics, Memcached and Elasticsearch; files are stored in encrypted blocks on Amazon S3 and the database is encrypted at rest on Amazon RDS.]
Security Controls


- All business systems follow the principle of least privilege.

- Sensitive administrative actions trigger notifications, which are reviewed in real time and are written to an immutable log.

- All production systems require VPN and multi-factor authentication.

- Application source code is stored in a secure environment and changes go through a peer review process.

- Front has dedicated staging environments for development and testing, separate from production.

- All company-owned assets are encrypted and have MDM technology installed, allowing Front IT admins to remotely wipe devices.







Data Privacy 


- All data in transit is secured with TLS 1.2 encryption and data at rest is secured through RDS and S3 services using AES 256-bit encryption.

- All API and client communication (desktop, web, and mobile) require HTTPS connections.

- All customer data is logically separated and tied to an enterprise ID that is used to validate requests during data retrieval processes.

- Front has security monitoring technology in place to detect system anomalies.

- Customers can dictate which geographic location hosts their data.





Compliance 


- Front is SOC 2 Type 1 and Type 2 compliant. Front has developed an ISMS based on ISO 27001 standards.

- Front adheres to the EU/US and EU/Switzerland Privacy Shield framework and is compliant with GDPR and CCPA.

- Front conducts annual third party vulnerability audits and security pentests. The last pen test was conducted in Sept 2020.
Governance


- All employees go through background checks prior to employment.

- All employees undergo general security training and testing as part of Front’s standard onboarding process.

- Engineers go through additional security trainings and tests before gaining access to production systems.

- Front handles sensitive data through our mature information security management system to minimize risk and combat security breaches.

- Front has a defined information security response program to detect and respond to incidents, recover service, and maintain business continuity in the event of a disaster.
Enterprise Application Security







Front was designed to create a secure and collaborative experience for companies and their teams. To ensure Front can be deployed in compliance with the security needs of your organization, we’ve developed a suite of security features, some of which are highlighted below.


Multi-Factor Authentication 


Individuals and administrators can enable two-factor 
authentication, which adds an extra layer of security 
to their Front account. 


Multi-Team Workspaces 


The Teams feature allows organizations to build 
multiple workspaces, each containing its own 
resources like tags, rules, responses, and analytics 
within one Front account. 


IP Restrictions 


Company administrators can whitelist the IP 
addresses from which their employees can 
access Front. 


Gmail/Office365 OAuth 


Front securely connects to full Gmail and Office365 
accounts through an OAuth process that also enables 
Front to support 2-way sync with email providers. 
Admin Access Controls


Front’s admin console provides administrators 
access to manage teammate settings like signatures 
and preferences, giving them heightened control 
over each user’s workspace. 


Roles & Permissions 


Administrators can define user roles with a 
customized set of permissions, like allowing certain 
users to create rules or restricting them from 
responding to messages. 


Conversation Audit Trail 


All user, rule, or API activities will generate an activity 
history that will be logged to the conversation for 
audit purposes. 


Delegated Inboxes 


A Front user can delegate their individual workspace 
to another teammate, enabling them to manage their 
teammate’s work queue without having to share login 
credentials. 
Frequently Asked Questions


Does Front retain a copy of my communication data? 


Yes. Front securely saves a copy of every communication received to our EU or US AWS servers. This enables Front to associate Front-specific actions like assignment and comments, which don’t translate to Exchange and Gmail, to the conversation. Additionally, this allows Front to deliver a seamless and quick experience to end users as they navigate and search in the platform.


Can I request Front to delete my data? 


In compliance with GDPR, Front will delete any company’s data once an explicit request is submitted and the requester’s identification is properly validated. All deletion requests will be completed immediately, but metadata can take up to 10 days to be purged from backups.


What types of personal data does Front store? 


Customers may submit personal data to Front, the extent of which is determined and controlled by the customer in its sole discretion, which may include, but not be limited to, the following categories of personal data: first and last name, title, job title, employer, contact information (company, email, phone, physical business address, social networks), IP address, localization data, signature, pictures, interaction with end user, web application usage, and data relating to the data subject’s interaction with email communication in connection with Frontapp’s email tracking feature. More information can be found in Front’s Terms of Service (frontapp.com/terms-of-service).


What subprocessors does Front have? 


Front has partnerships with two subprocessors: Amazon Web Services (AWS) and SendGrid. Amazon Web Services provides infrastructure as a service, which Front leverages in the capacity to store customer data. SendGrid is a cloud-based SMTP provider that Front leverages to deliver outbound messages for companies that don’t utilize Front’s native Gmail or Office365 connectors, or don’t have a custom SMTP setup of their own.